Hello,
I am trying to set up my own posix group, to get a dynamic posix group which I can use to assign filesystem permissions. So I did the following:

1. Create two new objectclasses:
------------
objectclass (1.3.6.1.4.1.23456.1.2.1 NAME 'stkaPosixGroup' DESC 'advanced PosixGroup for dynamic use' SUP top AUXILIARY MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )
objectclass (1.3.6.1.4.1.23456.1.2.2 NAME 'stkaPosixAccount' DESC 'advanced PosixAccount for dynamic use' SUP posixAccount AUXILIARY MAY ( memberUID ))
------------
YES I know 23456 is not my OID. It's still a test!
2. Then I configured the dynlist overlay in slapd.conf:
------------
overlay dynlist
dynlist-attrset groupOfURLs MemberURL
------------
3. I created a new dynamic group:
------------
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
------------
4. I added the new objectclass stkaPosixAccount to my users:
------------
dn: cn=Stefan Kania,ou=users,dc=example,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: stkaPosixAccount
loginShell: /bin/bash
homeDirectory: /home/skania
uid: skania
cn: Stefan Kania
userPassword:: e1NTSEF9cVk4eDVEaVhmYTZxbEw4MDBnRTlkazdtVDd2TzVocUI=
uidNumber: 10000
gidNumber: 10000
sn: Kania
givenName: Stefan
memberUid: skania
title: admin
------------
5. I set the attribute "title" for two users to "admin" and got:
------------
root@ldapserver:/# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL 'cn=dynposix'
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
memberUid: skania
memberUid: ktom
------------
So my users are members of the group.
6. I use sssd as the LDAP client, so I changed the configuration to:
------------
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/EXAMPLE]
ldap_schema=rfc2307
ldap_uri = ldap://ldapserver.example.net:389
ldap_search_base=dc=example,dc=net
ldap_default_bind_dn=uid=sssd-user,ou=users,dc=example,dc=net
ldap_default_authtok=geheim
id_provider=ldap
auth_provider=ldap
chpass_provider = ldap
ldap_chpass_uri = ldap://ldapserver.example.net:389
cache_credentials = True
ldap_tls_cacertdir = /etc/ssl/zertifikate/demoCA
ldap_tls_cacert = /etc/ssl/zertifikate/demoCA/cacert.pem
ldap_id_use_start_tls = True
ldap_group_object_class = stkaPosixGroup
enumerate = true
------------
I added the line "ldap_group_object_class = stkaPosixGroup".
I know "enumerate = true" is not a good idea, but it's still a test ;-)
Now the tests:
---------
getent group
.
.
dynposix:*:5000:
.
.
--------
The group is listed, but none of the members. So I did the following:
--------
root@ldapserver:~# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL 'cn=dynposix'
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
memberUid: skania
memberUid: ktom
--------
There are two memberUid entries.
Now I did another test, searching for "memberuid":
--------
root@ldapserver:~# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL 'memberuid=*' attrs dn
dn: cn=Stefan Kania,ou=users,dc=example,dc=net

dn: cn=Kater Tom,ou=users,dc=example,dc=net
--------
As you can see, I only get the two users, but not my group "dynposix".
When I do an "id ktom" I get:
--------
root@ldapserver:~# id ktom
uid=10001(ktom) gid=10000 groups=10000
--------
Also no group "dynposix".
It looks like it is not possible to search for the attribute "memberUid" if it's assigned to a groupOfUrls.
Does anyone have an idea where I did something wrong?
--On Saturday, November 23, 2019 6:37 PM +0100 Stefan Kania stefan@kania-online.de wrote:

> It looks like it is not possible to search for the attribute "memberUid" if it's assigned to a groupOfUrls.
Currently, the "memberUid" value on the group has no way to be searched on since it doesn't actually exist (it's derived *when* you do the search against the group object), so there's no way to search for it, thus the results you see. There's work to change this behavior (See ITS#9121) for OpenLDAP 2.5.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
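Quanah's point, illustrated with a small model added for this page (it is not code from OpenLDAP, sssd or either poster): the group entry as stored carries no memberUid at all; dynlist runs the memberURL and merges the results only when the group entry itself is returned, so a filter such as (memberUid=*) evaluated over stored entries matches the users but never the group. The in-memory directory below is constructed from the LDIF in the thread plus one extra non-admin user; parse_ldap_url, in_scope, search and expand_dynlist are our helper names, and the filter evaluator handles only presence and equality filters.

```python
"""Toy model of the dynlist overlay: derived attributes versus stored ones.

Added example for this thread, not code from OpenLDAP or from the posters.
Entries are constructed from the LDIF in the post (plus one extra user,
"Other User", who lacks title=admin); the helper names are ours.
"""
import re
from urllib.parse import unquote

BASE = "dc=example,dc=net"
GROUP_DN = "cn=dynposix,ou=groups,dc=example,dc=net"

# Stored entries: what the backend actually holds and can filter on.
# Attribute names are lower-cased because LDAP attribute types are case-insensitive.
DIRECTORY = {
    GROUP_DN: {
        "objectclass": ["groupOfURLs", "stkaPosixGroup"],
        "cn": ["dynposix"],
        "gidnumber": ["5000"],
        "memberurl": ["ldap:///dc=example,dc=net?memberuid?sub?(title=admin)"],
        # note: no stored memberUid on the group itself
    },
    "cn=Stefan Kania,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "inetOrgPerson", "stkaPosixAccount"],
        "uid": ["skania"], "memberuid": ["skania"], "title": ["admin"],
    },
    "cn=Kater Tom,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "inetOrgPerson", "stkaPosixAccount"],
        "uid": ["ktom"], "memberuid": ["ktom"], "title": ["admin"],
    },
    "cn=Other User,ou=users,dc=example,dc=net": {  # constructed: not an admin
        "objectclass": ["posixAccount", "inetOrgPerson", "stkaPosixAccount"],
        "uid": ["other"], "memberuid": ["other"], "title": ["staff"],
    },
}


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL (ldap://host/dn?attrs?scope?filter) into its parts."""
    m = re.match(r"^ldaps?://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    fields = m.group(2).split("?")
    fields += [""] * (4 - len(fields))  # dn, attrs, scope and filter are all optional
    dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {
        "base": dn,
        "attrs": [a.lower() for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",
        "filter": filt or "(objectClass=*)",
    }


def matches(entry, filt):
    """Evaluate one presence ((a=*)) or equality ((a=v)) filter; enough for this thread."""
    m = re.fullmatch(r"\(([\w.;-]+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, value = m.group(1).lower(), m.group(2)
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(dn, base, scope):
    """Scope check for base / one / sub (the sample DNs contain no escaped commas)."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    relative = dn[: -(len(base) + 1)]
    return scope == "sub" or (scope == "one" and "," not in relative)


def search(directory, base, scope, filt):
    """A search evaluates the filter against *stored* values only."""
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, base, scope) and matches(entry, filt))


def expand_dynlist(directory, group_dn):
    """Return the group as dynlist presents it: memberURL results merged in at read time."""
    entry = {k: list(v) for k, v in directory[group_dn].items()}  # never mutate the store
    for url in entry.get("memberurl", []):
        u = parse_ldap_url(url)
        for dn in search(directory, u["base"], u["scope"], u["filter"]):
            for attr in u["attrs"]:
                for value in directory[dn].get(attr, []):
                    if value not in entry.setdefault(attr, []):
                        entry[attr].append(value)
    return entry


if __name__ == "__main__":
    print("reading the group   :", expand_dynlist(DIRECTORY, GROUP_DN)["memberuid"])
    print("search (memberUid=*):", search(DIRECTORY, BASE, "sub", "(memberUid=*)"))
```

Reading the group yields the two derived memberUid values, exactly as the ldapsearch on 'cn=dynposix' in the post does, while the (memberUid=*) search returns only the user entries, which is why any lookup that finds groups by searching on memberUid (rather than by reading the group entry) comes back empty for dynposix.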
openldap-technical@openldap.org